Add Garage S3-compatible object store to platform

Cluster-local object store for build artifacts (CLI binaries etc.)
so Docker builds don't depend on flaky external downloads.

- Single-node Garage v1.0.1 StatefulSet (LMDB, replication=1)
- Metadata on longhorn-nvme (1Gi), data on longhorn HDD (20Gi)
- S3 API at garage.platform.svc:3900
- External ingress at s3.coreworlds.io (internal-only)
- SealedSecret for admin token and RPC secret

infra/kubernetes/platform/traefik/certificate-internal.yaml

@@ -62,3 +62,16 @@ spec:
     kind: ClusterIssuer
   dnsNames:
     - gitea.coreworlds.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: garage-s3-tls
+  namespace: platform
+spec:
+  secretName: garage-s3-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  dnsNames:
+    - s3.coreworlds.io

infra/kubernetes/platform/traefik/ingressroute-garage.yaml

@@ -0,0 +1,22 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: garage-s3
+  namespace: platform
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`s3.coreworlds.io`)
+      kind: Rule
+      middlewares:
+        - name: internal-only
+          namespace: platform
+      services:
+        - name: garage
+          namespace: platform
+          port: 3900
+  tls:
+    secretName: garage-s3-tls

infra/kubernetes/platform/traefik/kustomization.yaml

@@ -9,5 +9,6 @@ resources:
   - ingressroute-longhorn.yaml
   - ingressroute-harness.yaml
   - ingressroute-gitea.yaml
+  - ingressroute-garage.yaml
   - certificate-internal.yaml
   - servicemonitor.yaml